a46f5d08adda807b8db387efc3d745bd9eb1bacc63746128796a676c5081672e

Analysis

max time kernel
137s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-08-2024 23:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Aimmy.zip
Size

437KB
MD5

5ce64b05117855617926b1a363ba456e
SHA1

9d5a57eacd1dc324029ccb618695539abe06094f
SHA256

a46f5d08adda807b8db387efc3d745bd9eb1bacc63746128796a676c5081672e
SHA512

52e8d006a61d29c90f5e69dbbafe6e5ec83c5491009dde9340b67eb8683f91c79d772bd5a12a38a42915f9b13d04e95ccf06c84dc761e9d767f4245198cb8896
SSDEEP

6144:VdihPxjyUp3HlKPXbZGCUgFtiqIOLxitBanEBakL6QHViplLCt42sTBJZfYfAYVn:VdiLyGHlKPsQIOLYBaEeQ1gNCtpeZZYx

Score

6^/10

discovery

Malware Config

Signatures

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
89	ip-api.com

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Setup\Scripts\ErrorHandler.cmd	compiler.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	compiler.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\msxml3r.dll,-1 = "XML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-124 = "Microsoft Word Macro-Enabled Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9937 = "3GPP Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-115 = "Microsoft Excel 97-2003 Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000087562f5e30e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9908 = "Wave Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9938 = "3GPP2 Audio/Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\acppage.dll,-6003 = "Windows Command Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Common Files\system\wab32res.dll,-10100 = "Contacts"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{1E589E9D-8A8D-46D9-A2F9-E6D4F8161EE9} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a15ad25d30e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{97E467B4-98C6-4F19-9588-161B7773D6F6} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000fd44fd5d30e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.htm\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000005c47bf5d30e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4804 = "JavaScript File"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000040f9cf5d30e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\Windows.UI.Immersive.dll,-38304 = "Public Account Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mid\OpenWithList	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AEB16279-B750-48F1-8586-97956060175A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000091eda85e30e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aif	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-101 = "Microsoft Excel Worksheet"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5985FC23-2588-4D9A-B38B-7E7AFFAB3155} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000061f8ee5d30e5da01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E46787A1-4629-4423-A693-BE1F003B2742} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000000f554e5e30e5da01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9910 = "Windows Media Audio/Video playlist"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21825 = "3D Objects"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-107 = "Microsoft Excel Comma Separated Values File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000b0b56f5e30e5da01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@"C:\Windows\system32\windowspowershell\v1.0\powershell.exe",-103 = "Windows PowerShell Script"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.snd\OpenWithList	SearchProtocolHost.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
5060	NOTEPAD.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4864	schtasks.exe
1760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2844	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	2844	SearchIndexer.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe
Token: SeShutdownPrivilege	4392	chrome.exe
Token: SeCreatePagefilePrivilege	4392	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe
4392	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2456	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2612	2844	SearchIndexer.exe	89
PID 2844 wrote to memory of 2612	2844	SearchIndexer.exe	89
PID 2844 wrote to memory of 1224	2844	SearchIndexer.exe	90
PID 2844 wrote to memory of 1224	2844	SearchIndexer.exe	90
PID 4392 wrote to memory of 1348	4392	chrome.exe	94
PID 4392 wrote to memory of 1348	4392	chrome.exe	94
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 116	4392	chrome.exe	95
PID 4392 wrote to memory of 3536	4392	chrome.exe	96
PID 4392 wrote to memory of 3536	4392	chrome.exe	96
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97
PID 4392 wrote to memory of 2632	4392	chrome.exe	97

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\Aimmy.zip
1⤵
PID:4768

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4360

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2612
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 800 804 812 8192 808 784
  2⤵
  - Modifies data under HKEY_USERS
  PID:1224

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdc659cc40,0x7ffdc659cc4c,0x7ffdc659cc58
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1968,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1964 /prefetch:2
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2020,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2028 /prefetch:3
  2⤵
  PID:3536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2324,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2332 /prefetch:8
  2⤵
  PID:2632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3188,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:2508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3368,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4100,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3720 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4844,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=3184,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4796 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3404,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3428 /prefetch:8
  2⤵
  PID:2052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5144,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5232,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3180,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3516 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5252,i,1417392810536784988,10982166659930987579,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4484 /prefetch:8
  2⤵
  PID:3448

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4a0 0x33c
1⤵
PID:4728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Aimmy\Launcher.bat" "
1⤵
PID:4448
- C:\Users\Admin\Downloads\Aimmy\compiler.exe
  compiler.exe config
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1892
- - C:\Users\Admin\Downloads\Aimmy\compiler.exe
    "C:\Users\Admin\Downloads\Aimmy\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:3752
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:58 /f /tn PhotoEditorTask_ODA0 /tr ""C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe" "C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\conf.lua""
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4864
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /create /sc daily /st 14:58 /f /tn Setup /tr "C:/Windows/System32/oobe/Setup.exe" /rl highest
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1760
  - - C:\Users\Admin\Downloads\Aimmy\compiler.exe
      "C:\Users\Admin\Downloads\Aimmy\compiler.exe" "C:\Users\Admin\AppData\Roaming\tmp\conf.lua"
      4⤵
      PID:2224

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Downloads\Aimmy\Launcher.bat" "
1⤵
PID:316
- C:\Users\Admin\Downloads\Aimmy\compiler.exe
  compiler.exe config
  2⤵
  PID:584

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Aimmy\Launcher.bat
1⤵
- Opens file in notepad (likely ransom note)
PID:5060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:2456
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\Aimmy\config
  2⤵
  PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
281B

MD5
4ec59ac8f3b2ae95168c9cabd3147151

SHA1
de7d5e63c988b9c27f17a6dd8b3e2d6a1208fe2d

SHA256
165a9f3c3e0d665141953f05ec60ff6959e6b15cc50d9cb2746a26937181543b

SHA512
832e5712fa43c890d03ca4c437b11b23bd74d7c383ee095e2bc9380845f592a468fb5cd1eef7d637ae7d34a0b9bc3c11bef84e78d5c42e7ac78ca05aec026599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
cad1a8bd0ceb0b9f3481d56af6704282

SHA1
6949f7dd829ae607abf448a30ff1b11c4445fd67

SHA256
c787eff9187ad32974d9fcb0d3cafb218678cfdda1c752fa7c1d9bd2855ff7d6

SHA512
210487142baa346f713eb4937f7bc19e954b85b8db3fdf32974fbe0c0bd96bfab30e2a41c74f8ff03ebe6923d86a4568de288ceb33b610ffd72e1b24ed2544b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
979B

MD5
0c50800df69b24b7caf0976a28a61b4f

SHA1
f5981fd34c94071eff3e15648fac31a738b49803

SHA256
363c602f39fe8d0455d7cf2b354729ebb4b8beb9ef9fc670dd16a72116138231

SHA512
fd9efb76faa15480a1a85a66f7d4d2c0db026e139f55716eb1fa7e87557b03a26c59492109b087e9df368c1e37cb17026eb94ca0e3b6eaf2fb7643757ed047a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
471B

MD5
c38589a6454eb9e11e541f3a7fead912

SHA1
ea2203b750eda76db43dc3e551635470ed4b4231

SHA256
ba88529fe5b9517b4585706a73d25f89da8f988de8fd244bc2fc53f2c418ece6

SHA512
73a53e77a46b84208e206119cea759dc02572b97866c4c8dc05824ef0d1ffcaa64b97bce700583ff2e0a3839c47ff7d7bf09b51ba7f68c47a4b915a33f994667

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A66A8DB907BADC9D16AD67B2FBFFDD5C

Filesize
480B

MD5
a95579aaf3b126cb276654541f8b227f

SHA1
8cbd959d3191c9004ec8db5adcf060e8edd9011f

SHA256
2ced0556cca66cd17dcc29f2fdb9266ee33ffe4f2211329bbbbfc64da6833757

SHA512
d59cb58cf981f1379beabc17b2d58ad11da5b35a8f2ef8746c82601f7300011b536f5a96cd4f6c1429024d04510edeaf714aa46842fce9f34585e319ad601ab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
590c21b32bfa0000846e05ec1e279132

SHA1
af949939fde4bc666dd2a54dc6425787edccc3cb

SHA256
b2c705229a391d44347c13072fea2649c71b3a2b05070e25cd039409931fe992

SHA512
b749bf4f1dee27ee3b3ecdab2baa3c0a5b7ceb6e9ae6ca62f88ef01d1a89227c20dc586fe30b96eca09cd337263083ab16de3eb3d2247828b88749ae533e6f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_B5F77004C894173A10E3A199871D2D90

Filesize
480B

MD5
f05840e72427989fbeb91149ed7f3334

SHA1
7f4fd92369374e18ad3c8f170bee971dd99a51a2

SHA256
35d0e75cb2f1f62475a68a15df4cef6ec6da2ec5fbc14632fe863922ae7bc5f1

SHA512
f16c73eae0341b2f99c6c04283a4fb6d43be4998f61f65ecfe21d70a289ed9bd1bb592a1be8945cc0ab97e3f1e527f9a7c506ebf362ea56612375b5e11f4cfc3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_CBDCCBFE4F7A916411C1E69BDD97BB04

Filesize
412B

MD5
8ec4139afc8b4839e9be2ef96c57909a

SHA1
f059fcaea03a2883c385300bbb8d95ef63dba374

SHA256
0c5a4bcc69ac0f4032c199609dce8764e80fdb56a5bc38859af151992d314133

SHA512
93a0249672ab31620eb7528cbd84aa0ed2603f94c02c44f973a6a571e07020c2599cb607a15563eacd02f94b7cdfc1e9902ece5d6f36b4244e2240ed74dc2c9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\516c3291-4792-49dc-b401-d6d451e8bde0.tmp

Filesize
8KB

MD5
0cfdec74e434c2b1314435e42782d0c6

SHA1
359c46c43e49aa3eecdacf2a6ee8a9eebc59d7c2

SHA256
28bf50a041cc1527757bada39203a49dfe6c3f8d0927b82b3033c324f15a526f

SHA512
d85c1ef966c525475fa314d67a9588c8aa3e45215fb38f414b94fd7d94bda452b8a0698bd30a2911f0cd1d3a5bd77e1ae1e4fbd677be8701af63b38a7a6968e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\985def6b-73e8-40fb-bc07-dea013531a53.tmp

Filesize
8KB

MD5
bb2e794066ca328be19026c72a391895

SHA1
426172ba575661e0365c0ba38f0ca4de7afcb444

SHA256
043f2e166fce0ef831a7d71ea93093ee9a0f9fc5ff2909da62980b042168dc1d

SHA512
8b4fe4e5e2a29d2b7edbbd6e945d32dee950905a0fd006f286e9a361b18d95b3be87ffb7244df7016d4013dd3d8ab39cb7e5bdac6dc348f6e83a975b10a624dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
312B

MD5
0630f2180461ccb0a100f7414a5a5969

SHA1
cecf2a6bcd9428ee6eabc9cc2afd8811eb2852df

SHA256
a5223a6f1c4e0e9b393c195fb1c63192547fe355d4239fccd06fbc3dd589a414

SHA512
35e7c5560406b8981aa52467d86fe0cf1ab1021252e0ffed7ec9f4021d2cb01ea65a12331c02fc5948478a4c416ecbcb70b8f7ff592de3e3af415eb69fea7d54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
60735442da228c915de05802bde17092

SHA1
b0877b0d931da81b6eec759d63ad450120b49654

SHA256
d7d2f7f6fe04b6e1df4da342c5a97629f5e625d9f7153e84f4567355c419aa83

SHA512
6363ce2430946e29b9b1b1d496b5eda801e6c9f401e12238cb6f2cd1697561e4a0c865c076048b83880da9b1badc78f8dcd293adcf996574404c4498811e66d5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
7fc24ba43e52cb1a419d321e989be1cf

SHA1
5437b8010874fd1d935767f2828960555c2c5547

SHA256
5bde015d5c82e9fc39bd6d6ee51ee209ddcdffb538d8dc096df01bd404097792

SHA512
0335cbadc77aed25c18ff4b6095b5dcce55c56ba823b9d02566c0f65a1a6694f9cf0d7321baa396f0e853bac3a5143cb13ec754f66cf0ee854b7ced1b219e85e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
857B

MD5
45f64a6bb5e67aa932d39725ad1eab41

SHA1
be122799525bb23955ff2715e26ee6ce94f3d40a

SHA256
427d272cc14cf108b0483fda3caf66cc75669077ff1d4b0796ee5d70d9c712ea

SHA512
b987706be1e8ef5a15b55f91ae3efc4e9e73ddf09fea2c6ea3f92425918209d54d50064f310891bb8c004b8350ec7e86723f1841b318fea72799f14842e39054

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
5cc6e104baeb14b43c9513cbf98eccc8

SHA1
e25230bdedad0309356bf75f547d6a0b27f0eb68

SHA256
8a5086c5b8c33d1716c8f400bf67c8119d7fa727cea8752d15378447f60fc9b3

SHA512
b428b736869960f052fe36795a3c0b8f75d92ba3014d5a40890459d4e2903bc6bca63c2252e19489697dfdc8298cd80343f39f039345e84bf64f2c3d8dd3f424

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
61c68620e983151b2501057be1d55eca

SHA1
57b57320e8df23cb87f2e2d9620b334a06dfad87

SHA256
947daaf11452ff5c13644d148140cbaf5d1eba87e74aaccd20b63646ef4bd4b7

SHA512
8de01b990ecdffd70df8988620dbfde350cf3844d0ff7f06e8aec2b40a1cb07f7468c77bb4f4a258188b7625ace65a92077498d40a7d6b02fc044003fe9e57e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d6f02ab4e76920cc06a7a76058ed77b8

SHA1
fcc2b56b4590e1981b7ed7ce249ffc5327239314

SHA256
c9aa4fd9051aa1f8f488f4a40bc07d265f677aca6b251e2dfb78f37959fee24f

SHA512
bace466fbe29d5c272d9b7ec5b09b17b715764dcb3d096f9ce6575e75f8e08f8b0488ea0224f085b99098361b3303ea9a3507392a877a6667246df182ee7a0f9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
292059dc829eff35dfd5646cba7d700b

SHA1
00d5485e5356a54c1c2e5de4cd875ba7a43d5c22

SHA256
d59281e7b7b3f32df345a21c5df4db060a96a2b95e8bff739a4ad06c56c8a967

SHA512
edc901fe3b1332822ea3108a885cba1eae99403a2ff40a7bc812b4da93a44bcf34a112411411bd6d628e81c5274b016f8f654187ba5d49a07efebcb1d4662eae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
195KB

MD5
9bf5525a8d0218e5eb41740895d602c7

SHA1
5b2b5eeea223b630e9008e99936f4e4795b0e4f4

SHA256
a1f53c408215ed90bda7332c25ad5aca23d7df719e5ec5d109141a421c294dff

SHA512
cf2660a2c9606c309e228f16a78cfcf9f6af7398bae6707915f7dcc457f033ff3af1903292bb9070de35c4988b068d036be8ab61320924abb7b3bfa57e2f2d71

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\JACP9GNT\json[1].json

Filesize
311B

MD5
9105750f17d90587cfdb3073e3db4b41

SHA1
68299e57ccb94050710511c9fba7f144af55038d

SHA256
325bea9d40295cd711d613b7dcb0958e04a537f751b177573a9c40303a4879f9

SHA512
07fcd8e2811bc7d8a481694d32a8d220a03ec99dfd8b9f55de99ff8327d392c6afbd821358b5087e29120b5a6d706f258c723585d3c69a26c1b0c385722256de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\YHMF37VK\request[1].json

Filesize
896KB

MD5
6621f92e253c53901a45c7eae20938fc

SHA1
7e3759b02202ffaef0e2e41666edf7af66360b65

SHA256
1d359835b097d15a97f9f77359939b79e7d63697eb23de72c88d39b5467fc77b

SHA512
7616351db372c1c391ba5e3cbbada8db17b5d06dc03cb064eaa27083ecf101c3b7d1757ec8dca752200cf5b7118ffdcf818c09dd20f890a0f1dc564db3d1f05e

Download Submit
C:\Users\Admin\AppData\Local\OWYsN2YsN2YsYTAsOWUsODYsOGMsOTYsNjQsN2Ms\ODA0.exe

Filesize
736.2MB

MD5
192be9e6c4fc07c09bad013dc4471291

SHA1
cd894377db429f3aa307566c5bcbe24a1c6e9761

SHA256
4dbb80e9520c268ee6aa4f808808175110143bc356a4cb6f0ed20cfbf3cbd9fd

SHA512
b08a3f77467656a8e11a36be3a1854353f03ecf3390683189f1dd3c4140fcce4a4aceaf0dff3310cb159951dbafa37c829f842b436fd69cd201dac73841fe57b

Download Submit
C:\Users\Admin\AppData\Roaming\tmp\conf.lua

Filesize
298KB

MD5
a6e82e3f005f61929f62c981670138b1

SHA1
71f15a319a5f8f353068b6463d153e7bcc4ebf23

SHA256
289b7cd5419091154d2db0c1c70e7580ccde22ebe59b03ada35e95ee6b530bd7

SHA512
0691bc3995e0bae2048c966a7f3c207cfd708fa691b2f95b85618c136ab3bb65d4201b4d9d690b3a3b7812c52c537175a91af6efcf98959ed5fca84aa7467cce

Download Submit
C:\Users\Admin\Downloads\Aimmy.zip.crdownload

Filesize
39KB

MD5
3e01b4033df90e56411e254a6c199fe7

SHA1
288bba5fdb78eb9f6402c3d7bf1bf89cd3aed444

SHA256
7a17808fc2a0ac454a4a4f4cbe1b5f862f8d8d008d4b0909f734095ef1673a25

SHA512
d29beebb7bb9f43bac2b1203a03170aa7813b946774946bf2c6d4afd3fd2a3f1e2ef1edee8140bb78f458382373388359a04a1cbe4924b069c388e6711679165

Download Submit
C:\Users\Admin\Downloads\Aimmy.zip.crdownload

Filesize
437KB

MD5
5ce64b05117855617926b1a363ba456e

SHA1
9d5a57eacd1dc324029ccb618695539abe06094f

SHA256
a46f5d08adda807b8db387efc3d745bd9eb1bacc63746128796a676c5081672e

SHA512
52e8d006a61d29c90f5e69dbbafe6e5ec83c5491009dde9340b67eb8683f91c79d772bd5a12a38a42915f9b13d04e95ccf06c84dc761e9d767f4245198cb8896

Download Submit
C:\Users\Admin\Pictures\32404286A0B54A9396206F13FD83251A

Filesize
1KB

MD5
e3b46c0161446ed49f3cdbc9cafc4b6f

SHA1
05d3035b386b1c85dfa58723b1556cfbbc6e5e2f

SHA256
26aa93946ee1c1cfe39520d3c4828ebfba01c2ebb565fb6337d8b57dec9a4b68

SHA512
9b9847e2418657ff73f76c5d14a9f7db41fdadd518418dec8e93ae6ec3137f68786ba271ae2d39b0073a1b73c633ee0cfe41b562cf34511e1a1e371b94f5f804

Download Submit
memory/1224-47-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-45-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-65-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-66-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-64-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-62-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-61-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-60-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-59-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-58-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-57-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-56-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-55-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-53-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-54-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-52-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-42-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-63-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-46-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-36-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-48-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-49-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-50-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-51-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-43-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-44-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-40-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-41-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-39-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-38-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/1224-37-0x000001C3F39D0000-0x000001C3F39E0000-memory.dmp

Filesize
64KB

Download
memory/2844-0-0x00000216EB670000-0x00000216EB680000-memory.dmp

Filesize
64KB

Download
memory/2844-32-0x00000216EFC60000-0x00000216EFC68000-memory.dmp

Filesize
32KB

Download
memory/2844-16-0x00000216EB770000-0x00000216EB780000-memory.dmp

Filesize
64KB

Download